Don’t do it!

The South African Revenue Service (SARS) brand is notorious for being used in Phishing attacks, trying to trick users into divulging banking or other personal information.

See some of the samples here: (Yes, I know it’s a link…) http://www.sars.gov.za/TargTaxCrime/Pages/Scams-and-Phishing.aspx?k=

SARS also shares warnings for things to look out regarding phishing mails:

“Members of the public are randomly emailed with false “spoofed” emails made to look as if these emails were sent from SARS, but are in fact fraudulent emails aimed at enticing unsuspecting taxpayers to part with personal information such as bank account details.”

“Importantly, SARS will not send you any hyperlinks to other websites – even those of banks.”

Good advice. However, the following happened:

Is it a Phish?

Yesterday, I received an email message with the subject “Please rate your SARS experience“. Now, if you’re a law-abiding citizen of the Republic, you’ll know that your online eFiling deadline was 31 October 2018. So emails like these could be expected, but could also be phishing:

In this instance, Gmail is kind enough to show us that the email did not originate from SARS, but came in via bounce.mkt2356[.]com:

South African Revenue Service (SARS) <noreply@sars.gov.za> via bounce.mkt2356.com

And they are asking me to click on a link, which is bad. So let’s investigate further…

The Post Office

For this analogy, we’ll run with the idea that I have a letter that I’d like to send to the friendly people at Eskom to enquire about their power-generating capability, as we are having Stage 2 load shedding today.

I decide to drop my well worded letter off at the big red metal post box at the Hatfield Post Office in Pretoria, South Africa.

Upon receiving my letter, the Post Office adds something called an email header to it. An email header keeps track of (among other things) all those stamps added to your envelope as it travels past different post offices and mail sorting stations on its way to the friendly folks at Eskom.

Message IDs

One of the many fields contained in the email header is called the Message-ID. This field can help us in our quest to determine where the email originated from. This is in essence the name and serial number of the post box at Hatfield Post Office, as well as a uniquely created tracking number for my letter.

(I’ve changed the URL a bit as it’s most likely unique to each address the mail was sent to)
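To show what the header check above looks like when you do it by hand rather than trusting Gmail’s “via” hint, here is an added example (my own illustration, not part of the original post or anything SARS or IBM publishes). The raw message below is constructed: the hostnames, IPs and IDs are placeholders shaped like the real ones. It pulls the From: domain, the bounce (Return-Path) domain, the Message-ID domain, the Received: chain and the link hosts out of the message, and flags that the mail was handed in at a post box that doesn’t belong to the sender named on the envelope.

```python
"""Trace where an email really came from by reading its headers.

Added example: the message below is constructed, not the real SARS survey
email. The From: says sars.gov.za, but the bounce address, Message-ID and
Received: chain all point at a third-party sending domain, which is the
mismatch Gmail summarises as "via bounce.mkt2356.com".
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample message. Received: lines are listed newest hop first,
# as mail servers prepend them; IPs are documentation ranges (RFC 5737).
RAW_MESSAGE = b"""\
Return-Path: <bounce-123@bounce.mkt2356.com>
Received: from smtp.mkt2356.com (smtp.mkt2356.com [198.51.100.25])
\tby mx.google.com with ESMTPS id abc123
\tfor <taxpayer@example.com>; Thu, 01 Nov 2018 09:00:00 +0200
Received: from app.mkt2356.com (localhost [127.0.0.1])
\tby smtp.mkt2356.com with ESMTP id def456;
\tThu, 01 Nov 2018 08:59:58 +0200
Message-ID: <12345.67890.ABCDEF@mkt2356.com>
From: "South African Revenue Service (SARS)" <noreply@sars.gov.za>
To: taxpayer@example.com
Subject: Please rate your SARS experience
Content-Type: text/plain; charset=us-ascii

Please click here: http://links.mkt2356.com/servlet/Link?id=ABC123
"""


def domain_of(address: str) -> str:
    """Lower-case domain part of an address or Message-ID, brackets stripped."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def received_hosts(msg) -> list:
    """Hostnames each hop claims to have received the mail *from*, oldest first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", str(hdr))
        if m:
            hosts.append(m.group(1).lower())
    return list(reversed(hosts))


def link_hosts(body: str) -> list:
    """Distinct hostnames of every http(s) link in the body, sorted."""
    urls = re.findall(r'https?://[^\s<>"]+', body)
    return sorted({urlparse(u).hostname for u in urls})


def analyse(raw: bytes) -> dict:
    """Summarise the origin evidence in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg["From"].addresses[0].addr_spec)
    return_path_domain = domain_of(str(msg["Return-Path"]))
    message_id_domain = domain_of(str(msg["Message-ID"]))
    hops = received_hosts(msg)
    links = link_hosts(msg.get_content())
    # The envelope sender (bounce address) is what the receiving server
    # actually dealt with; if it isn't the From: organisation, someone else
    # posted the letter. This is (simplified) what Gmail's "via" signals.
    third_party = not same_org(return_path_domain, from_domain)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "message_id_domain": message_id_domain,
        "received_hosts": hops,
        "link_hosts": links,
        "links_match_sender": all(same_org(h, from_domain) for h in links),
        "sent_via_third_party": third_party,
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(f"{key:22} {value}")
```

Run it against a real message by saving the mail as .eml (Gmail’s “Show original” gives you the raw text) and feeding the bytes to analyse(). Three independent fields pointing at the same unrelated domain is exactly the pattern that should make you stop and think before clicking, whether the cause turns out to be a phish or a marketing platform.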

But mkt2356[.]com isn’t SARS. Let’s take a look at where you’ll end up if you clicked it:

So, clicking that link for http://links.mkt2356[.]com would actually get you to the legitimate SARS website https://tools.sars[.]gov.za/SatisfactionSurvey/Surveys/Index/32

However, to make things worse, mkt2356[.]com has a Certificate Name Mismatch error, which will cause lots of security products to warn you before visiting the site:
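For readers who haven’t seen a “Certificate Name Mismatch” up close: the browser compares the hostname it connected to against the names listed in the certificate the server presents, and warns when none of them match. Here is an added example of that comparison (my own code, not from the post and not how any particular browser is implemented). The certificate contents are constructed, since the post doesn’t say which names the real mkt2356[.]com certificate carried, only that the name in the link wasn’t among them.

```python
"""Does a hostname match the names in a TLS certificate?

Added example. The certificate dict is constructed in the shape Python's
ssl.SSLSocket.getpeercert() returns; the names in it are placeholders.
"""


def names_from_cert(cert: dict) -> list:
    """DNS names the certificate is valid for: the SAN entries, or the CN
    only when there is no SAN at all (modern browsers ignore the CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(hostname: str, cert_names: list) -> bool:
    """RFC 6125-style match: exact match, or a wildcard in the left-most
    label only, covering exactly one label (*.example.com matches
    a.example.com but not example.com or a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
        elif host == name:
            return True
    return False


def check_cert_for_host(hostname: str, cert: dict) -> dict:
    """Return the verdict a client would reach for this host/cert pair."""
    names = names_from_cert(cert)
    return {
        "hostname": hostname,
        "cert_names": names,
        "name_mismatch": not hostname_matches(hostname, names),
    }


# Constructed certificate: issued to a placeholder marketing-platform domain,
# so a link under mkt2356.com is not covered by it.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "*.campaign-sender.example"),),),
    "subjectAltName": (
        ("DNS", "*.campaign-sender.example"),
        ("DNS", "campaign-sender.example"),
    ),
}

if __name__ == "__main__":
    for host in ("links.mkt2356.com", "links.campaign-sender.example"):
        print(check_cert_for_host(host, CONSTRUCTED_CERT))
```

To try it on a live site you would hand the dict from getpeercert() to check_cert_for_host(); the point of the exercise is that a mismatch is a hard stop for a browser because the certificate says nothing about the host you actually typed in, however legitimate the page behind it turns out to be.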

And here’s what it looks like when you eventually end at the actual SARS website:

So, it turns out that the MKTxxx domains are owned by IBM’s Watson Campaign Automation digital marketing solution.

So What??

Ok, so at this point you are asking the following: “Come on dude, it’s just SARS using a marketing company to send out emails with unique links so that they can track who actually clicks it after which it takes you to the actual SARS page so no need for all these screenshots and stuff so get off your horse and enjoy your load shedding.”

Well, my point is this:

This is not helpful.

We can’t be telling people “DON’T CLICK ON ANYTHING! JUST DON’T” and then send them crappy survey emails with links we want them to click. So the message becomes:

DON’T CLICK ON ANYTHING!*

*Unless we send you stuff via a third party, so then please go ahead and click it, even if it was set up crappy, don’t worry, it’s fine, trust us.